Who Needs Anonymous When You've Got the IRS?

While not many taxpayers consider the Internal Revenue Service a friend, most do expect the agency to protect their data like a brother.

That's why news revealed last week about a database the IRS posted online of filings for so-called Section 527 organizations, such as political campaign committees, was particularly disturbing. (see Breach Diary below).

The IRS removed the database from public view after it was informed by a watchdog group,
Public.Resource.Org, that it contained the Social Security numbers of tens of thousands of Americans.

"This Section 527 database is an essential tool used by journalists, watchdog groups, congressional staffers, and citizens," wrote Public Resource founder Carl Malamud in a statement posted online.

"While the public posting of this database serves a vital public purpose (and this database must be restored as quickly as possible), the failure to remove individual Social Security numbers is an extraordinarily reckless act," he added.

When the IRS posted the database online, it failed to redact Social Security numbers, most them located in appendices to the filings, explained Todd Feinman, founder, president and CEO of
Identity Finder.

"Thousands of Social Security numbers were there for anyone to take," he told TechNewsWorld.

"Social Security numbers never expire, and they're harvested by identity thieves," Feinman said. "Even if people have credit monitoring for the next few years, 10 years from now their Social Security Number could be sitting on an underground website and used to commit all sorts of identity fraud."

What's worse, this isn't the first time the IRS has done this, he added. An analysis by Identity Finder of 2.9 million 990 tax returns of nonprofit organizations from 2001 exposed 472,866 Social Security numbers.

"If you're an identity thief, you have a one in six chance of downloading a 990 from 2001 and getting a Social Security number," Feinman said. "Those are better odds than Vegas."

BYOD Civil Wars

When workers can use their own devices at the office, it's supposed to boost productivity. Apparently, it can jump start suspicion, too.

Last week,
Aruba Networks released a survey of 3,000 employees around the world that showed significant numbers of them distrust IT departments that try to control data on their personal devices.

Among the workers polled, almost half in the U.S. (45 percent), a quarter in Europe (25 percent) and nearly a third in the Middle East (31 percent) said they were "worried" about IT accessing their personal data.

That distrust could be fed by how organizations attempt to manage personal devices brought to work by their employees. One of the most common ways that's done is through mobile device management systems that give corporate administrators all sorts of power over a worker's precious phone -- from controlling what apps can be installed on it to wiping all the data from it.

Less intrusive solutions have begun appearing in the market, however, that allow personal data on a smartphone to be segregated from company data. Aruba makes such a solution; so does BlackBerry.

BlackBerry's solution on its branded hardware, called "Balance," is particularly elegant.

"We've built Balance directly into the operating system so you don't have to download an app to segregate your information," Gregg Ostrowski, BlackBerry's senior director of enterprise developer and tech partnerships, told TechNewsWorld.

"We're able to segregate your work and personal data at the file level," he continued, "so a user doesn't have to do anything and an administrator can act on information that's pertinent to work while completely leaving the personal perimeter alone."

While Balance makes administrative control of a device appear less intrusive, the Chinese Wall between private and professional is still strong. "We even prevent you from copying and pasting data from one side to the other," Ostrowski said.

Know Thy Adversary

At times, cyberwarriors can be a bit myopic in preparing their defenses against attacks by intruders. They may focus on their adversary's tools at the expense of analyzing their motivations. That can be a mistake, maintained Jason Lancaster, senior intelligence analyst for security research field intelligence at HP.

"Identifying hackers' motivations can play a huge role in predicting how an attack will materialize," Lancaster told TechNewsWorld.

"We find that the motivations of the attacker play a key role in how the attack appears to the target," he continued. "Where the attack targets an organization and how it is visible to those looking for indicators of compromise are directly determined, in many cases, by those motivations."

"If you know what you are looking for, you will be able to tailor your defenses based on similar attack patterns," he added.

Another benefit of that kind of intelligence, said Lancaster, is that it allows members of the defense community to weed out the most credible threats so they can focus their resources on the threats that pose the greatest risks. That can impact a company's bottom line in a favorable way.

"By integrating this additional level of security intelligence with the business decision processes, an organization is able to make strategic decisions about where to focus their limited security resources, including personnel and capital," Lancaster explained. "This will allow them to concentrate resources on the highest risk areas and the areas that will yield the highest return on investment."

Breach Diary

July 8. Boing Boing reports IRS was removed from Internet database of filings for political organizations, like campaign committees, after it was discovered by a watchdog group, Public.Resource.Org, that the agency had failed to redact tens of thousands of Social Security numbers in the data.

July 10. Anonymous posts 3,400 records it claims are customer email addresses, names, usernames, and passwords for Brickcom Corporation, a maker of high-resolution surveillance equipment used by corporations and law enforcement. The company did not confirm the breach.

July 10. Missouri Attorney General Chris Koster finds the state's data security laws were not violated in a breach involving 79 grocery stores in the Schnuck Markets chain and affecting 2.4 million payment cards.

Jun. 10. Konami, a Japanese game maker, reports one of its online portals experienced an onslaught of illegal login attempts that enabled 35,000 accounts to be compromised. Information exposed in breach included users' actual names, addresses, telephone numbers and email addresses.

July 11. Long Beach (Calif.) Memorial Medical Center notifies 2,864 patients their medical records may have been breached by an employee. Information compromised includes name, sex, date of birth, home address, phone number, account number, insurance information and the reason for admission. Patients were offered one year of free credit monitoring and access to an information hotline. Hospital said there's no reason to believe data was used in malicious manner or in a way that would impact patient care.

July 11. Texas Health Harris Methodist Hospital in Fort Worth begins notifying patients some 277,000 records on microfiche may have been compromised. The decades-old records were found in a Dallas parking lot instead of being destroyed by a contractor.